Tuesday, 21 February 2012

A Black Eye for Google

According to several sources, Google Chrome has been actively violating the privacy of its users. The following excerpt details Microsoft's investigations into this behaviour:

Google Bypassing User Privacy Settings

Microsoft Corporation

404,807 Recent Achievements 3 3 4 Blogs All-Star Blog Commentator III Blog
Commentator II View Profile Monday, February 20, 2012 10:31 AM Comments 146
When the IE team heard that Google had bypassed user privacy settings on
Safari, we asked ourselves a simple question: is Google circumventing the
privacy preferences of Internet Explorer users too? We've discovered the
answer is yes: Google is employing similar methods to get around the default
privacy protections in IE and track IE users with cookies. Below we spell
out in more detail what we've discovered, as well as recommendations to IE
users on how to protect their privacy from Google with the use of IE9's
Tracking Protection feature. We've also contacted Google and asked them to
commit to honoring P3P privacy settings for users of all browsers.

We've found that Google bypasses the P3P Privacy Protection feature in IE.
The result is similar to the recent reports of Google's circumvention of
privacy protections in Apple's Safari Web browser, even though the actual
bypass mechanism Google uses is different.

Internet Explorer 9 has an additional privacy feature called Tracking
Protection which is not susceptible to this type of bypass. Microsoft
recommends that customers who want to protect themselves from Google's
bypass of P3P Privacy Protection use Internet Explorer 9 and click here to
add a Tracking Protection List. Customers can find additional lists and
information on this page.

Background: Google Bypassing Apple's Privacy Settings
A recent front page Wall Street Journal article described how Google
"bypassed Apple browser settings for guarding privacy." The editor and CEO
of Business Insider, a business news and analysis site, summarized the
situation:

Google secretly developed a way to circumvent default privacy settings
established by a. competitor, Apple. [and] Google then used the workaround
to drop ad-tracking cookies on the Safari users, which is exactly the sort
of practice that Apple was trying to prevent.

Third-party cookies are a common mechanism used to track what people do
online.  Safari protects its users from being tracked this way by a default
user setting that blocks third-party cookies.  Here's Business Insider's
summary:

What Safari does NOT allow, by default, is for third-party . cookies on
users' computers without their permission. It is these ad-tracking cookies
that cause lots of Internet users to freak out that their privacy is being
violated, so it's understandable that Apple decided to block them by
default.

But these default settings have created a problem for Google, at least with
respect to its goals for its advertising business.

Google's approach to third-party cookies seems to have the side effect of
Safari believing they are first-party cookies.

What Happens in IE
By default, IE blocks third-party cookies unless the site presents a P3P
Compact Policy Statement indicating how the site will use the cookie and
that the site's use does not include tracking the user. Google's P3P policy
causes Internet Explorer to accept Google's cookies even though the policy
does not state Google's intent.

P3P, an official recommendation of the W3C Web standards body, is a Web
technology that all browsers and sites can support. Sites use P3P to
describe how they intend to use cookies and user information. By supporting
P3P, browsers can block or allow cookies to honor user privacy preferences
with respect to the site's stated intentions.

It's worth noting that users cannot easily access P3P policies. Web sites
send these policies directly to Web browsers using HTTP headers. The only
people who see P3P descriptions are technically skilled and use special
tools, like the Cookie inspector in the Fiddler tool. For example, here is
the P3P Compact Policy (CP) statement from Microsoft.com:

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR
SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Each token (e.g. ALL, IND) has a specific meaning for a P3P-compliant Web
browser. For example, 'SAMo' indicates that 'We [the site] share information
with Legal entities following our practices,' and 'TAI' indicates
'Information may be used to tailor or modify content or design of the site
where the information is used only for a single visit to the site and not
used for any kind of future customization.' The details of privacy are
complex, and the P3P standard is complex as well. You can read more about
P3P here.

Technically, Google utilizes a nuance in the P3P specification that has the
effect of bypassing user preferences about cookies. The P3P specification
(in an attempt to leave room for future advances in privacy policies) states
that browsers should ignore any undefined policies they encounter. Google
sends a P3P policy that fails to inform the browser about Google's use of
cookies and user information. Google's P3P policy is actually a statement
that it is not a P3P policy. It's intended for humans to read even though
P3P policies are designed for browsers to "read":

P3P: CP="This is not a P3P policy! See
http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for
more info."

P3P-compliant browsers interpret Google's policy as indicating that the
cookie will not be used for any tracking purpose or any purpose at all. By
sending this text, Google bypasses the cookie protection and enables its
third-party cookies to be allowed rather than blocked. The P3P specification
("4.2 Compact Policy Vocabulary") calls for IE's implemented behavior when
handling unknown tokens: "If an unrecognized token appears in a compact
policy, the compact policy has the same semantics as if that token was not
present."

Similarly, it's worth noting section "3.2 Policies" from the P3P
specification:

3.2 Policies
In cases where the P3P vocabulary is not precise enough to describe a Web
site's practices, sites should use the vocabulary terms that most closely
match their practices and provide further explanation in the CONSEQUENCE
field and/or their human-readable policy. However, policies MUST NOT make
false or misleading statements.

P3P is designed to support sites that convey their privacy intentions.
Google's use of P3P does not convey those intentions in a manner consistent
with the technology.

Because of the issues noted above, and the ongoing development of new
mechanisms to track users that do not involve cookies, our focus is on the
new Tracking Protection technology.

Next Steps
After investigating what Google sends to IE, we confirmed what we describe
above. We have made a Tracking Protection List available that IE9 users can
add by clicking here as a protection in the event that Google continues this
practice. Customers can find additional lists and information on this page.

The premise of Tracking Protection in IE9 is that tracking servers never
have the opportunity to use cookies or any other mechanism to track the user
if the user never sends anything to a tracking server. This logic underlies
why Tracking Protection blocks network requests entirely. This new
technology approach is currently undergoing the standardization process at
the W3C.

This blog post has additional information about IE's cookie controls, and
shows how you can block all cookies from a given site (e.g. *.google.com)
regardless of whether they are first- or third-party. This method of
blocking cookies would not be subject to the methods Google used. We
recommend that users not yet running IE9 take steps described in this post.

Given this real-world behavior, we are investigating what additional changes
to make to our products. The P3P specification says that browsers should
ignore unknown tokens. Privacy advocates involved in the original
specification have recently suggested that IE ignore the specification and
block cookies with unrecognized tokens. We are actively investigating that
course of action.

―Dean Hachamovitch, Corporate Vice President, Internet Explorer

No comments:

Post a Comment